Amazon's EC2 Having Problems With Spam and Malware

jamie pointed out a story about the recent problems Amazon's EC2 service has been having with malware and spam. "EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list [...] However as Seth Breidbart noted in the comments, 'note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.' True enough -- as described, instance termination simply isn't good enough."

Death Penalty

[Archangel+Michael]

While I'm against the death penalty, I might be willing to consider it for spammers.

Re:Death Penalty

Now thats the REAL instance termination we need!

Not spam filters, SPAMMER filters!

Re:Death Penalty

[trytoguess]

Ah, spoken like someone's who's never lost a loved one or large sums of cash through human maliciousness, or been sexually assulted.

Re:Death Penalty

[hostyle]

Never fear citizen! The Waahmbulance is on its way.

Re:Death Penalty

[Hojima]

I don't see why the government doesn't prosecute the companies that have their products spammed. They are the absolute root of all this. Without them, there wouldn't be any placebos to sell so that they can hire more spammers. There's got to be SOME way to get to them.

Re:Death Penalty

[palegray.net]

Because oftentimes it isn't those companies' fault. Say you have an affiliate program, or you rely on a third-party affiliate program management firm to provide compensation for those who promote your products. You can have strict terms for those people that warn against using spamming tactics to promote their affiliate sales, and you can terminate the ones who get caught, but you can't ever guarantee compliance en masse.

Your suggestion is equivalent to throwing knife makers in prison because some of their customers misuse the product.

Re:Death Penalty

[Hojima]

Your suggestion is equivalent to throwing knife makers in prison because some of their customers misuse the product.

Actually, it's more like going after gun dealers who don't go through standard procedures before selling a gun. If you held the companies responsible, believe me there would be more initiative to prevent spamming. That, and it's not tough to nail companies that ship a large amount of placebos and claim them to do things they don't.

Re:Death Penalty

[palegray.net]

You're talking about two completely different things here. Your original idea was to hold the "final destination" companies responsible for the actions of spammers. This *will not work* in a great many cases for the reasons I cited in my previous post. Referencing your gun sales procedures analogy, it sounds like you've never run an affiliate program. Yes, you do your best to screen applicants to make sure they have a legitimate web presence before agreeing to allow them to market your products in exchange for commissions on sales. However, this is *really* easy to circumvent if someone is truly interested in using spam as a promotion mechanism. Would you advocate requiring something like a photo ID before allowing someone to do affiliate marketing? I'm sure Amazon.com and the like are sure to implement such a requirement any day now (light sarcasm). It would simply make your affiliate marketing program near-worthless in an age where people are extremely hesitant to part with a lot of their personal information, and wouldn't do anything to deter the spammers (in many ways resembling how gun control laws frequently do nothing to prevent crime, because criminals don't usually obtain their guns through legal channels anyhow).

As for nailing companies that ship products that don't work as advertised, we already have a mature legal framework for dealing with such organizations. Of course, that's assuming the business is operating in a jurisdiction where you can actually prosecute them (many, many foreign scam operations operate from dubious locales).

I sympathize with your frustration at the situation; I deal with it every day myself. I operate several servers that filter tens of thousands of inbound SPAM pieces a day. I have to deal with constant attacks on those servers from botnets trying to turn them into SPAM-churning zombies. It's a monthly balancing act deciding which IP blocks to ban based on nasty activity, without losing revenue from pageviews from legitimate visitors. In other words, I'd like to feed spammers their balls through the wrong end of their anatomy, but your methods simply aren't workable options.

Re:Death Penalty

[Gazzonyx]

kill -9 spammer_init
That's how I roll.

Re:Death Penalty

[localman]

As someone who has been involved with both sides of an affiliate program myself, I tend not to agree with your assessment. The company I worked for did an amazingly good job of keeping spammers from promoting our products. We had people on this continuously. These aren't random folks, they're people who we are paying (i.e. have an ongoing legal business relationship with) to bring customers to us. You can damn well bet it's our responsibility to make sure they act appropriately: they're our employees (claims of "independent contractor" notwithstanding).

I think that a reasonable legal framework for applying pressure to companies that benefit from spammers is warranted. I would have been glad to work under such a framework myself. Really, there's no excuse.

Cheers.

Re:Death Penalty

[VdG]

If that were done it would just become another extortion technique: cough up or I'll send SPAM in your name and the government will beat you up. Or just to hurt some company you've taken exception to.

Sure: if you can trace a Spammer back to a customer then take action against that customer. But I suspect that would be easier said than done.

Re:Death Penalty

[giafly]

I don't see why the government doesn't prosecute the companies that have their products spammed.

One reason is that much of the time the products are fake.

According to a recent [2005] study published in Britain, researchers purchased Viagra from several seemingly reputable Internet sources. They received what looked like branded Viagra, identically packaged like the real product. The sources of the pills were worldwide and included places like Thailand, India and Malta. The content of sildenafil was determined using near infrared microscopy.

Nearly half of the pills contained no active ingredient.

Re:Death Penalty

[Hojima]

That's mostly a problem for illegitimate companies. If you take a look the bulk of the spam that makes the major revenue (i.e. online pharmacies), you'll see that they rely on consistent spamming. Legitimate companies do not, and therefore the government will go a bit easy if there is a spammer out there that tries that. Without funds to go on, the spammer only wastes resources. Besides, the government knows that legitimate companies get themselves hurt with spam since it damages their rep. and they usually have the money to advertise in a more appropriate manner.

Re:Death Penalty

[VdG]

When SPAM first started it was from legitimate companies. And who says what's "legitimate"? Maybe a big company wouldn't want their name tarnished, but it might be more tempting for a smaller business. I can imagine some person running a business from home selling, say, macrame cooking pots over the internet deciding that a bit of spam was worthwhile as a cheap way to reach an international market. Or that spamming in the name of their rival down the road - or across the ocean - is tempting.

Terms of Service

[macx666]

They have the credit card numbers of these people, no? Add a $1000 (or more) charge to the TOS each time someone gets caught spamming through them. That should make a pretty clear point.

Re:Terms of Service

[thermian]

And what if the credit card in question is stolen?

Re:Terms of Service

[adolf]

Then the owner will actually notice that his/her card is stolen, and finally go over the bill with a fine-toothed comb, disputing charges as they go.

Nothing is lost.

Re:Terms of Service

[MBCook]

No kidding. I'd say you have to put up a bond if you want to be able send more than some small threshold of emails out per day (100?). If you're good, you are safe. Maybe you get your bond back after 6 months. If you misbehave, Amazon cuts you off and you just lost $5-$10k.

Re:Terms of Service

[macx666]

Then amazon needs to do a much better job of determining who their clients really are, and there are quite a few fairly reliable ways of doing so.

Nothing is perfect, but it can be made very hard.

Re:Terms of Service

[thermian]

That's something of an extreme approach. Not exactly the sort of behaviour that would endear a company to its customers.

If your EC2 account got hacked (which may happen if its worth the effort), you would end up hacked, billed, and having quite possibly a hell of a fight to get your cash back.

Re:Terms of Service

[MrMr]

Depends, if it is not reported stolen; tough luck for the card holder, if it is; tough luck for the credit card company.

Re:Terms of Service

[morgan_greywolf]

No problem. EC2 is unhackable!

ppppppffffffffffffffft. Sorry, I couldn't say that with a straight face. :)

Re:Terms of Service

Crap idea. Small start-ups use this kind of service instead of a dedicated server in a server farm. Compare costs and you'll see why.

What is small for emails? One small project I set up has over 5000 users, when their reports are ready they get notified, when something changes, they get notified.

6 months of spam will generate a hell of a lot more than thr $5-10k bond.

There are far better ways to stop spamming. Follow the money all the way to the companies selling the drugs, watches, or whatever. Someone is paying the piper to send the spam. Want it stopped. Slap massive fines onto the companies caught using them. Make it double per case. Shut them down if they persist.

Someone running a company is not going to want to use spammer once they're prosecuted and heavily fined.

Re:Terms of Service

[DittoBox]

Unless they use a fake visa (debit or check card) in which case the consumer has absolutely zero recourse.

Banks and credit unions are not held the same dispute structure as credit card companies (since the legislation concerning charge disputes was drafted and instituted during a more consumer-friendly congress than was legislation created for debit and check cards).

Re:Terms of Service

[adolf]

Perhaps.

Though (as you say) there's no law in place to enforce good behavior on the bank's part, I've always had decent luck with my bank when it came to sorting out weirdness with debit cards.

Re:Terms of Service

[rnswebx]

Actually, tough luck to vendor who allowed the fraudulent transaction. The credit card companies themselves typically have very little (any?) responsibilities when it comes to fraudulent transactions. It's entirely up to the vendor to do the proper verification prior to billing a transaction, as far as I know.

The problem is that these small fraudulent transactions are typically more expensive to track down than they are to write off. If someone racks up a $1,000 bill on the ec2 cloud with a stolen card, the credit card company isn't out a dime, and the vendor (in this case Amazon) isn't likely to spend much time finding and prosecuting whoever is using the stolen card because it's expensive and time consuming to do so. Sure, maybe some ip addresses will be blocked and cards added to blacklists (temporarily?) but that doesn't stop the next guy from doing the same with a new stolen card.

Re:Terms of Service

[Chalkboy]

Brilliant!

Re:Terms of Service

[merreborn]

Add a $1000 (or more) charge to the TOS each time someone gets caught spamming through them

As a web app developer, that's potentially a dealbreaker for me. Who determines what spam is?

According to the five-ten DNSBL, anything that's sent w/o a closed loop opt in is spam. So they block all sorts of ips the rest of us might think of as legitimate, like "microsoft, multiple public radio newsletters (from different radio stations in different states), travel notifications and newsletters from Expedia and Hotwire, lots of other newsletters and news updates from various newspapers and TV shows, and even the newsletter from my favorite pizza place back in my home town of Minneapolis." (source)

So, who's definition of spam are they using? Hell, half the email I get from digg ends up in my yahoo spam folder automatically.

Without a strict definition of what is and isn't spam, that TOS clause is absolutely unacceptable.

Re:Terms of Service

[MBCook]

Yes, they do sent tons of emails. I've worked on those systems as they started up. My idea of the cap was for people who are using the service for more background processing type things. Amazon can decide on their own magic level. Maybe it's 3,000 a day. Maybe 10k. Maybe it's based on your bond size.

Yes, you can send a ton of spam in 6 months, but you don't get to under by idea. As soon as you start spamming, you lose your bond. That's it.

So to get around the bond, you have to PAY $5-$10k, hold the account for 6 months (probably making it look used), and THEN start spamming after you get your bond back. That's a huge investment for only having part of a day to spam. As soon as your outgoing email traffic spikes from 10 emails a day to 1,000,000 they'll kill your account.

I'm not trying to stop all spam, I'm just trying to propose something Amazon can do on their service. It's not useful for Amazon to sue Pfizer over the Viagra spam being sent out.

Re:Terms of Service

[Atlantis-Rising]

You do know that to post a $5000 bond, you generally don't actually have to post $5000, right?

I believe the cost to post a $500,000 bond for someone with a fairly good credit record and sufficient security was about $1500/yr when last I checked.

Re:Terms of Service

[encoderer]

Actually, both Visa and MasterCard hold banks to the same "Zero Fraud Guarantee" policy for Debit Cards as they do Credit Cards.

In fact, if you search Visa.com for their Consumer Credit Card and Consumer Debit Card pages, you'll see that the Zero Fraud Policy link on both takes you to the same page.

They require that banks put provisional funds back into your account within 5 days of the dispute being made. Most banks do this the same day. I bank at BoA and they do it within hours.

The policy extends to charges incurred as a side-effect of the fraud, like overdrafts.

It does not apply to pin-based transactions, but there are no pin-based transactions on the web anyhow.

This makes sense if you think about it and it has nothing to do with Congress. Many people are transitioning away from cash. I hardly EVER carry cash. I use my Debit card for everything. And Visa has a vested interest in seeing this continue. A HUGE interest.

Besides, there is no difference between "Banks and credit unions" and "credit card companies."

Visa doesn't give out credit. They don't even give out credit-cards. They just provide a clearinghouse network. On their end, a Debit Card transaction (non-pin-based) looks identical to a CC transaction.

Of course, none of this applies if your debit card doesn't carry a Visa or MC logo. But if that's the case, you're not using it online, anyway.

Re:Terms of Service

[hostyle]

Don't like their terms? Don't use 'em! Its not like you're giving them money to filter out your spam, are you?

Re:Terms of Service

[LostCluster]

They have the credit card numbers of these people, no? Add a $1000 (or more) charge to the TOS each time someone gets caught spamming through them. That should make a pretty clear point.

You just don't get it. Spammers can make more than $1000 per instance of malware or spam blast if their hook is effective enough. Pay the penalty and spam again is what they'll do in that situation. Any profit can be duplicated repeatedly and that's how these guys work.

Amazon can't let these people back in the game after a short timeout or fine... they've got to ban them. Otherwise, the blackhole keepers will rightfully have reason to list them.

Re:Terms of Service

[mysidia]

There is possibility that some of the spamming is not being initiated by instance owners, but by blackhats who have hacked into someone else's Amazon EC2 instance and started using it to spew spam.

In that case Amazon would be pissing off an innocent customer: attempting to extort $1000 from them, and possibly putting themselves in an actionable position.

Meanwhile, spammers continue and don't care. The CCs were stolen anyways, they'll just make a dozen new accounts tomorrow with the next batch of fake CC#s. They're pretending to be innocent anyways: spammers don't admit they spam.

Anyways. It's Amazon's problem to solve. There are various ways they can counter EC2 abuse, their failure to do so is worse than negligence.

Adjustments to EC2 to discourage spam and various types of abuse may impose inconveniences for Amazon and their customers (Things like requiring validation of their identity, signed papers, a phone call, a waiting period before gaining access).

Plus the loss of business. In case some of the abusers of EC2 are actually paying for their use of EC2 to do evil bidding.

I don't care how Amazon solves it, only that they do solve it. Amazon has a responsibility to solve it, even if the solution necessarily imposes some inconvenience and cost for them and their customers.

The response should be: All mail from Amazon's site: all IP Blocks assigned to EC2 are blocked by all other sites.

Killing spamming instances is not a meaningful action. It sounds like a token gesture to try to placate objections to Amazon's behavior with minimum cost.

On the other hand, if various sites started blacklisting EC2, its connectivity to the rest of the world would be limited, causing customers to complain to Amazon, pressing them to take remedial action to end the blacklisting. (I.E. Suddenly ignoring the problem is not the least-costly option)

For example if a legitimate Amazon customer wanted to run a web site on EC2, but found that many people couldn't reach their web site (due to blacklisting of EC2), there would be a good chance that they complain to Amazon about the inconvenience or find another host.

The same principle would apply if mail server admins blacklisted EC2, but widened their blacklisting to actually include Amazon normal mail

(As an online retailer, Amazon should be very concerned about the reputation of mail coming from Amazon being spam or not, and of customers' ability to reach their web servers' ips)

I think for now though... the answer is, mail server operators throughout the world should see to it that they blacklist EC2's ranges from sending mail.

And (optionally) Amazon's other ranges, as a precautionary measure, since EC2 may expand, or Amazon may move EC2 to new IPs in response to blacklisting (rather than attempting to fix the problem).

Re:Terms of Service

[the_B0fh]

Only if you're buying it from a 3rd party/insurance company. If Amazon is charging *YOU* $5k bond, you have to put up all $5k with Amazon. Unless you buy a 3rd party bond. But, remember what you just said about good credit record? That means, if you're using a stolen credit card, you probably won't get it. Or, you may, in the first few cases, until the insurance/bond companies figure it out.

Re:Terms of Service

[EVil+Lawyer]

What's interesting about the set up (where the merchants are responsible for the fraud, not the credit card companies) is that the card companies have very little incentive to prevent fraud. In fact, they frequently have a disincentive: They collect a $25+ per charge "chargeback fee" from the merchants, for fraudulent charges. It would be in credit card companies' interests if fraud increased! (Of course, not past the level where merchants are hurt too badly to stop accepting cards).

Re:Terms of Service

[mysidia]

They'll dispute all the illegal $1000 charges by EC2 which would cost Amazon a hefty chargeback fee for each transaction reversed.

And possibly Amazon suffers other actions. Due to unjustifiable $1000 'surcharge' running afoul of consumer protection laws.

You and I may think spam's bad, but that's not going to convince a court that Amazon's justified in charging someone $1000 to send a few hundred emails.

Re:Terms of Service

[L0stm4n]

I lost my wallet once on a saturday and didn't notice until monday. I went out for more beer saturday night and my wallet fell out of my pocket ( best guess of what happened since the pants I was wearing always lost shit from the pocket when I sat down ) when I got in my friends car. Sunday I didn't go out so never looked for my wallet. Monday I looked and couldn't find it. Checked my bank of america online page and saw fraudulent charges. Mostly from local conveinence stores and wal-marts. I contacted BOA and the local police, BOA refunded all the money, including overdraft within a few hours. The police took a report, and never heard from them again. BOA never questioned the charges but asked I gave them a police report number. All was well. Issued a new card and got it in the mail a week or so later.

Re:Terms of Service

[Buran]

Not if Amazon then sends the agreement you signed when you signed up for service that includes "you will be charged $1000 if you violate these terms". The bank will turn around and say "Sorry, you lose, charge stands."

Re:Terms of Service

[KURAAKU+Deibiddo]

I really can't see Amazon actually implementing this, but supposedly they take malicious usage "very seriously." Earlier this week a server that I host had some script-kiddie at one of their IP addresses (67.202.37.137, if you want to block it) playing the guess-the-SSH-login-and-password game (until I set it to drop all packets from that IP). I've sent them the applicable sections of my logs; we'll see how well they handle it, but to be honest, I'm a bit skeptical.

I personally find it to be a bad sign that despite their whois information cites abuse@amazonaws.com as a technical contact, their mailserver bounces it. The applicable block:

Technical Contact:
Abuse, Amazon Webservices abuse@amazonaws.com
Amazon.com, Inc.
P.O. Box 81226
Seattle, Washington 98108
United States
2062664064 Fax -- 2062667010

I did, however, get a response from a live person at webservices@amazon.com, so...we'll see.

In light of my experience, though, I find this story to be somewhat ironic. To quote Kate at their webservices address, "It looks like these intrusion attempts initiated from Amazon EC2, a dynamic hosting environment." Hopefully they do their part to lock it down.

Re:Terms of Service

[mysidia]

False.

Billing someone's CC company an amount is not a legal way of forcibly obtaining a remedy for breach of contract.

Anymore than they could legally write a check out to themselves for $1000 and forge your signature if you had agreed to pay.

Authorization for a charge to be made against a certain CC is very specific and cannot be created merely by a paragraph in a Terms of Service agreement of any sort.

Specific authorization is required for the exact payment, otherwise it is a deceptive practice, illegal under the FCBA; although the FTC may have the last word on that one.

An agreement in advance to pay in case of breach of agreement is not an authorization to charge a CC.

Before Amazon can attempt to obtain a remedy for supposed breach of contract, they still have to sue, and have the amount awarded by the court (or by binding arbitration).

In case Amazon were to foolishly issue a $1000 unauthorized charge, and their bank were to refuse to correctly reverse said unauthorized charge: the customer can simply refuse to pay the bank/CC company the amount in dispute.

Cease all business with said bank, close account, etc, and sue the bank for whatever if any adverse action the bank might attempt to enforce the charge that was unauthorized (and was therefore the bank's liability).

Re:Terms of Service

[merreborn]

Don't like their terms? Don't use 'em!

That was my point. I'd anticipate that *many* people would find these terms unacceptable, and choose not to "use 'em". I would also expect that amazon's well aware of this, and would never implement such absurd terms in the first place.

Re:Terms of Service

[Buran]

True.

I have personally heard from people who have been billed for not living up to an agreement, then tried to dispute the charge, and were told that the agreement they signed states that their behavior automatically incurs a charge. They lost the chargeback dispute.

Re:Terms of Service

[mysidia]

Banks findings may in a sense be arbitrary, depending on the manner in which an item is disputed and what claims are made in the dispute. Different conclusions may be reached, according to different particulars, so a personal anecdote or two about what a bank did is meaningless.

The process doesn't end just b/c the bank happened to decide one way or the other.

The FCBA permits the one done wrong to sue the bank based on, for example, the quality, or lack of merchandise received in exchange for the charge.

The provision of a contract that bills $1,000 for sending 100 e-mails is likely to be found to have an unenforcable provision.

Re:Terms of Service

[KURAAKU+Deibiddo]

Apparently my earlier impression of Amazon seems to be correct, as I heard back from them a few hours ago, and what they had could be summarized like this:

We received your report. We made some minor effort to look into it and it did come from our network, but we didn't do it. Please look at this URL which talks about buying service from us. We do make some pretense at caring, because the customer's actions are prohibited by our terms of service. However, they've terminated usage a few days ago, but we contacted them. In the future, it would be useful if you would report problems by sending us exactly the same information you sent us, but we'll insult you by listing it in a bullet-point list as if you were an idiot. Because we've confirmed that the malicious customer is no longer using that IP address, you should unblock it, because it prevents our new customers from being able to reach you.

Thanks again, we'll busily do nothing to solve this problem.

Apathetic Amazon Drone

Terminate accounts not instances?

[teh+kurisu]

Why aren't Amazon terminating the accounts of offenders, and blacklisting whatever payment method they're using? It's a paid service, it's not like spammers can register for new accounts as much as they like, they're going to run out of credit card numbers (well, assuming their activities aren't more nefarious than mere spam).

It's not in Amazon's interests to have EC2 blacklisted.

Re:Terminate accounts not instances?

[RabidMoose]

I agree with parent. This should be a non-issue. Just shut the account off, (possibly with a fine, as suggested elsewhere), and disallow the account holder from creating another account.

Re:Terminate accounts not instances?

[dedazo]

I agree of course, but how exactly do you go about identifying these people so that they don't open another account? Credit card numbers? PayPal accounts? Last names? What?

Nothing prevents Joe Spammer from creating a second account as Joe Spammer Thornton III a day after the first one is turned off. The capabilities of Amazon's cloud are too juicy to pass up.

Re:Terminate accounts not instances?

[RabidMoose]

Easy enough. Just require that Mailing Address == Billing Address. Sure, it won't stop 100%, but it'll certainly make it a lot harder (and more expensive) on them.

Re:Terminate accounts not instances?

how exactly do you go about identifying these people so that they don't open another account? Credit card numbers? PayPal accounts? Last names? What?

How about a driver's license or other gov't-issued ID? Do whatever the CAs say they do.

How are these people paying Amazon: cold, hard anonymous cash? Probably not. Supplying an ID when you pay for something by credit card or check, isn't all that unusual in retail business.

But it's unusual in online business. Well, maybe it shouldn't be, if the person who is paying you has as much incentive to fuck you over, as spammers do.

Re:Terminate accounts not instances?

[Todd+Knarr]

Amazon has billing information for those accounts. Money changes hands. So, require that the name and address given to Amazon when setting up the account match the billing name and address of the credit card used to pay for the services. Most mail-order and on-line merchants do that already, and won't ship except to the billing name/address. Then block known pre-paid debit card numbers and one-time card numbers. Not perfect, but it should knock down 90% of the problems and make it a lot harder for a criminal to get a new account not tied to a consistent identity.

Re:Terminate accounts not instances?

[Chris+Burkhardt]

I agree of course, but how exactly do you go about identifying these people so that they don't open another account? Credit card numbers? PayPal accounts?

Yes.

Re:Terminate accounts not instances?

[rnswebx]

I think you're missing the point. If the offenders have stolen credit cards, they likely also have the correct name and address to go along with them. Adding electronic verification does absolutely nothing to solve the problem, unless we start requiring matching state issued IDs or SSNs to our cards. The obvious problem with that is now we're allowing even more private, extremely sensitive data to flow across the internet.

It's a difficult problem to solve; certainly more so than simply requiring matching names and addresses to a credit card.

Re:Terminate accounts not instances?

[gnuman99]

You cannot "fine" anyone for anything. Amazon does not create the law which can punish users.

What Amazon can do is have a "service reactivation fee" that is required to be paid to reinstate suspended accounts.

Re:Terminate accounts not instances?

[Todd+Knarr]

There's actually a solution to that, but it involves slowing the process down. Just don't activate the account once the information's entered. Instead, send a physical letter to the credit-card billing address. You can require a form to be signed and returned, or just include an activation code in the letter that has to be entered to turn the account on. That should make it infeasible to use 99% of stolen cards. It introduces a few days of delay between requesting the account and getting it, but IMO if you intend to use the account for any length of time a few days shouldn't be an issue and if you don't then you're likely exactly the kind of person this is intended to filter out.

Re:Terminate accounts not instances?

[rnswebx]

I remember when PayPal did that when I opened my account back in 2000. I'm not sure if they still do that, but it certainly is a solution. It adds significant time, infrastructure (auto mailing facilities, employees, machines, etc) -- which all boil down to cost. I didn't like waiting the 4 or 5 days for my secret pin to arrive. On the other hand, if I applied for an account and either my pin didn't work or I never received it and I had to go through it multiple times, I'd probably start looking at other solutions.

Re:Terminate accounts not instances?

[adpowers]

You assume it is that easy? I mean if Amazon had this huge retail arm that they could leverage that had to deal with credit card fraud for the past decade, then maybe, but a small startup like Amazon? You ask too much sir!

Sheesh, seems like a match made in heaven

[fuzzy12345]

Previously, senders of large volumes of paid-for (by the sender) yet unwanted (by the receiver) emails had to corral their own clouds of distributed, low-cost computing resources (a.k.a botnets). Amazon provides similar capabilities for pennies an hour. Both Amazon's and the emailers' business models work, and questionable penetration of third parties' computers is no longer required.

Somebody finally solved the ????? = Profit equation. What's everyone getting so worked up about?

Re:Sheesh, seems like a match made in heaven

[QuantumRiff]

Amazon will fix this, as soon as they have an incentive to do so. IE, if enough blocklists start adding their IP's, customers will threaten to take their business elsewhere, as their legitimate emails are not going through.. then, and only then, will amazon act (and only if the cost benefit to fix are less than the development time, and income from spammers). Would you expect a corporation to do differently?

How is this different from any colo...

[gravyface]

or virtual/private server company? And what would happen to the spammers? Account cancelled, so they'd just find another colo/host, or use one of many stolen credit cards to register another account with same host, under a different name. How is this any different?

Re:How is this different from any colo...

[klingens]

The hoster terminates the client and won't sign him up again. Amazon could easily do he same but doesn't. Instead the only terminate the instance.

Re:Delicious Spam

[jeff419]

Spammers with unlimited computing power?? Where do i sign up?

Re:So what is EC2?

[jamie]

The top hit from Google would have told you. It's Amazon's Elastic Compute Cloud.

I'd RTFA but...

[Thelasko]

I'm afraid taint.org might not be safe for work.

Re:I'd RTFA but...

[LMacG]

My thoughts exactly. Luckily, Brian Krebs at the Washington Post wrote about this in his Security Fix blog.

Re:I'd RTFA but...

[Thelasko]

Excellent, thanks!

Terminate the account!

[SanityInAnarchy]

Once they have the name of the instance, they also know who launched it -- after all, they are billing someone.

I like the suggestion to charge a large fee to the credit card they have on file, but what about simply banning the account in question?

Re:So what is EC2?

No, it's apparently something in the Amazon. I guess Brazilian deforestation is a major contributor to the global increase in salted canned pig meat.

Honeynet Project

[fatrat]

The UK Honeynet Project spotted this a few days earlier :) http://www.ukhoneynet.org/2008/06/30/it-had-to-happen

Amazon needs to offer a spamfree block

[MattW]

Offer a spamfree block of IPs using their persistent IP offering, and let people put in a large deposit when getting an IP there. If they spam, confiscate the deposit. Use the interest on the deposit to offset the cost of triaging abuse complaints.

Although if mail is incidental to your business you can probably just host a relay offsite.

It's a problem? Really?

[EdIII]

Here is a wild idea... WILD.. Off the hook insanity....

Just block ALL of EC2 from being able to send out anything on port 25 and 587.

Problem solved. Last time I checked EC2 has a lot more interesting uses than running mail server software.

Re:Require DKIM

[Kalriath]

EV certificates cannot sign mail, only server to server communication. E-mail signing certificates cost about $30, and require absolutely no proof of identity, just existence. This is no barrier whatsoever.

How about improving the monitoring?

[Amamdouh]

I think all the ideas of placing a deposit or putting an extra charge per message are against the EC2 model. The whole idea is to offer a high capability solution at a low entry price that scales easily.
Spammers and abusers tend to have distinctive patterns and this what Amazon should be paying attention to. Ie. some guy using a US credit card, logging to his instance from eastern Europe and sending a zillion emails messages the second day after sign up should raise some doubts. Manual inspection of suspicious traffic can be very costly but they can easily build a growing list of trusted customers who use the service for legitimate reasons and monitor suspicious traffic from new registrations.

Re:It's a problem? Really?

[uncqual]

If this would work, it would probably need to be combined with one of the other ideas above -- either requiring additional verification or posting a bond to remove the filters from instances created under a verified/bonded account. Some users will have legitimate reasons to send emails (some a few, some many) but many probably don't.

Re:So what is EC2?

[SleepyHappyDoc]

Wikipedia says it's the north eastern corner of the city of London, roughly. I don't get the article, either.

instead of trying to collect after abuse,

[LukeCrawford]

why not run an inward facing IDS- something like snort. It's easy enough to setup a script that automatically terminates accounts of people sending abuse, and to do it on the first instance of that abuse.

Re:So what is EC2?

So what you're saying is we basically we had a unique opportunity for a slashdot user to get lucky?

Re:Meter the email

[LostCluster]

That just establishes spam as $10 CPM ads. That'll clear out the inbox so the more profitable things (including things that can't get ads elsewhere in the USA because they're taboo) will get even more visiblity.

Re:slashdot users smoke crack

[Mr.+Roadkill]

(Damn. I've got modpoints, and professional experience at mailfiltering too - but I'll never find this thread again if pyster replies and I've posted AC... )

Which blacklist, and what reasons did they give for listing you? You want to whine and rant? Fine, that's what Slashdot seems to be made for. But if you want your point to be taken seriously and not modded into oblivion, give us the information that will allow us to make informed assessments of your claims about the lameness of the blacklist - and, possibly, the lameness of the admin of the site that chose to use that particular list too, if things are as you say they are. Some lists are dangerous if used inappropriately for some mail streams, but most of the better-known ones are safe and extremely powerful tools if used responsibly (and that includes having a working postmaster@ address and a willingness to communicate with and work with those who find themselves blocked). Spam is a serious problem, and for many places the best first-level defence against their servers being overwhelmed is judicious use of carefully selected blacklists.

For what it's worth, I find blacklists utterly invaluable. The MX servers under my control consult several for straight-up blocking (with a few local whitelistings where appropriate), and a few more for SpamAssassin scoring purposes. We're blocking about half a million messages per day, and get maybe eight queries per months about "accidentally" blocked mail - almost none of which are directly due to an errant blacklisting these days. Most of what we block is due to straight-up rejection due to inclusion in a blacklist, and the last query we got about that kind of block was due to some site that got itself listed in the CBL - boo-fricken-hoo, they deserved it and once I explained the situation they were thankful that we blocked them using the CBL because they were able to fix the problem before they got a Spamcopping or worse.

I don't know your exact situation. For all I know, you could have a legitimate beef about how some particularly crappy blacklist is created and operated. Conversely, you could just be another whiney person who likes to complain because their personal system with a generic-looking and not-clearly-static PTR got listed somewhere because 80% of the /24 it's in is part of various botnets (and if that's the case, I've got a whole lot of helpful information that would help you improve deliverability here and at many other places, now and forever, without changing providers). There could be a real problem with a particular list, or you could just be tilting at windmills and be much better off addressing the underlying issue that caused the listing and moving on. Tell us what the issue was, let us make up our own minds. Hell, you might even learn a thing or two - as, indeed, might I if there's any merit to your claims.

Right, we just need the banks to not be stupid.

[Gazzonyx]

So long as it's not your stupid bank storing unencrypted info on tapes that went MIA. I guess the few million people that it has happened to this year, alone, would be annoyed, if not stupid.

PBL is the wrong blacklist to whine about

[Mr.+Roadkill]

Of course it gave me a reason. 554 Denied [SHPBL] - Denied by Spamhaus PBL along with a nice url. I'm not willing to give up any more details than that as I am not interested in posting any of the related ips.

Ah, the PBL. That's where your argument falls to pieces.

From http://www.spamhaus.org/pbl/index.lasso :

PBL IP address ranges are added and maintained by each network participating in the PBL project, working in conjunction with the Spamhaus PBL team, to help apply their outbound email policies.

So, your ISP told Spamhaus that mail shouldn't be coming from the range your IP address is in. Not Spamhaus making a trite, petty and vindictive block for the fun of it. Not some blacklist deciding in error to block a whole /24 full of static addresses with REAL rDNS records for most of it because they found a couple of zombied machines with vaguely generic-looking PTRs in it. This is a case of the people you pay for connectivity telling Spamhaus that the rest of the world should not accept mail from your IP address or others near it until further notice - they're being good neighbours, and are to be applauded.

If you have a static address you can poke a hole in the PBL for it pretty easily - *you* can provide that further notice:

A feature of the PBL is the elimination of 'false positives' with a server-identifying and automatic removal mechanism for single IP addresses. This allows end users with static IP addresses within a larger dynamic pool, and legitimate mail server operators, to assert that in their opinion their IP addresses are a trustworthy source of email and to automatically remove (suppress) their IP addresses from the PBL database. Safeguards are built in to prevent abuse of this facility by spammers (and particularly by automated bots).

Do your research. The PBL is pretty damn useful, and you probably qualify for free use. If you have an unfiltered postmaster address on your domain (you do, don't you?) the smart thing would be to start blocking with it but make sure the rejection contains something like "Rejected: $IP_ADDRESS listed in Spamhaus PBL ( http://lookup-urlip_address/ ) - please contact postmaster@whineyblacklisthater.org for assistance if required" - you'll find that the "false-positives" for it are almost invariably from people who don't know what the PBL is and want to do their own thing, regardless of the practicalities the rest of the world has to face. Why should I or anyone else accept mail from somewhere your own ISP or their upstream provider has said I shouldn't?

Re:slashdot users smoke crack

[Jerry+Smith]

Why do all the antispam nazi's solutions ignore the collateral damage to innocent by standers? "They should educate themselves" "they should switch providers" they scream. Black lists do nothing but break the system. I'd rather get all the spam than have important mail bounce. Just last week I had a mission critical email bounce because of some lame blacklist. This email not getting to its recipient would have basically ruined my life. Its a good thing I have the ability to send mail from more than once source.

If you formulate your mails the same way you usually formulate your posts on Slashdot , I'm really not surprised, Mr. Fr0sti P1ss GNNA.

Re:slashdot users smoke crack

[blane.bramble]

You do realise the PBL is used by your ISP to tell Spamhaus that email should not originate from certain IP ranges - it appears you or the sender are sending out email from an IP range THAT IS NOT SUPPOSED TO DIRECTLY SEND. The fault is not with Spamhaus. You really do need to educate yourself about email.

Re:So what is EC2?

[lightversusdark]

2 miles East of the Centre.

Congratulations Amazon!

[giafly]

You have created a legal botnet with as bad a reputation as the illegal botnets.

From an address-reputation perspective EC2 is no different than, say, China. Connections from China start life much closer to my filtering threshold that connections from Europe because a far lower percentage of the connections from China are legitimate. EC2 will get the same treatment - link

Re:So what is EC2?

[AlexBirch]

Yeah but high school physics would have told me MC4.

~~~
Write in Cowboy Neal for President and Alex Birch for Vice-President.

Re:slashdot users smoke crack

[Ciarang]

Seriously, an email not being delivered would have ruined your life? Who's smoking crack?